e2a042f066
Fix CVE-2013-4148 (bnc#864812), CVE-2013-4149 (bnc#864649), CVE-2013-4150 (bnc#864650), CVE-2013-4151 (bnc#864653), CVE-2013-4526 (bnc#864671), CVE-2013-4527 (bnc#864673), CVE-2013-4529 (bnc#864678), CVE-2013-4530 (bnc#864682), CVE-2013-4531 (bnc#864796), CVE-2013-4533 (bnc#864655), CVE-2013-4534 (bnc#864811), CVE-2013-4535 / CVE-2013-4536 (bnc#864665), CVE-2013-4537 (bnc#864391), CVE-2013-4538 (bnc#864769), CVE-2013-4539 (bnc#864805), CVE-2013-4540 (bnc#864801), CVE-2013-4541 (bnc#864802), CVE-2013-4542 (bnc#864804), CVE-2013-6399 (bnc#864814), CVE-2014-0182 (bnc#874788) OBS-URL: https://build.opensuse.org/request/show/235280 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=211
65 lines
2.2 KiB
Diff
65 lines
2.2 KiB
Diff
From e3f320a759052a77b4da97618a94f8adcb0a6490 Mon Sep 17 00:00:00 2001
|
|
From: "Michael S. Tsirkin" <mst@redhat.com>
|
|
Date: Thu, 3 Apr 2014 19:50:39 +0300
|
|
Subject: [PATCH] virtio-net: fix buffer overflow on invalid state load
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
CVE-2013-4148 QEMU 1.0 integer conversion in
|
|
virtio_net_load()@hw/net/virtio-net.c
|
|
|
|
Deals with loading a corrupted savevm image.
|
|
|
|
> n->mac_table.in_use = qemu_get_be32(f);
|
|
|
|
in_use is int so it can get negative when assigned 32bit unsigned value.
|
|
|
|
> /* MAC_TABLE_ENTRIES may be different from the saved image */
|
|
> if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
|
|
|
|
passing this check ^^^
|
|
|
|
> qemu_get_buffer(f, n->mac_table.macs,
|
|
> n->mac_table.in_use * ETH_ALEN);
|
|
|
|
with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
|
|
positive and bigger than mac_table.macs. For example 0x81000000
|
|
satisfies this condition when ETH_ALEN is 6.
|
|
|
|
Fix it by making the value unsigned.
|
|
For consistency, change first_multi as well.
|
|
|
|
Note: all call sites were audited to confirm that
|
|
making them unsigned didn't cause any issues:
|
|
it turns out we actually never do math on them,
|
|
so it's easy to validate because both values are
|
|
always <= MAC_TABLE_ENTRIES.
|
|
|
|
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
|
(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980)
|
|
[AF: BNC#864812]
|
|
Signed-off-by: Andreas Färber <afaerber@suse.de>
|
|
---
|
|
include/hw/virtio/virtio-net.h | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h
|
|
index df60f16..4b32440 100644
|
|
--- a/include/hw/virtio/virtio-net.h
|
|
+++ b/include/hw/virtio/virtio-net.h
|
|
@@ -176,8 +176,8 @@ typedef struct VirtIONet {
|
|
uint8_t nobcast;
|
|
uint8_t vhost_started;
|
|
struct {
|
|
- int in_use;
|
|
- int first_multi;
|
|
+ uint32_t in_use;
|
|
+ uint32_t first_multi;
|
|
uint8_t multi_overflow;
|
|
uint8_t uni_overflow;
|
|
uint8_t *macs;
|